7

My Mac is vulnerable, as this test shows:

x='() { :;}; echo VULNERABLE' bash -c :

I am using the version of bash that came with it. I also use Homebrew. What is the preferred way to patch Bash?

-- Alex Shroyer

3 Answers

11

First, you don't need to do this unless you are offering web services to the public internet from your Mac. If you are not, wait until there is an official security update from Apple.

However, if you are offering web services, you might want to update.

Official Patch

Apple has released an Official Bash Security Update Here

Checking whether you are vulnerable

To confirm that you are using an outdated bash:

$ which bash
/bin/bash
$ /bin/bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

The most current bash is 4.3.25

Unofficial Update Method: Compile Bash from Source Code using Homebrew

If you don't have Xcode installed, you'll need the Xcode command line tools, which can be installed by:

$ xcode-select --install

Or from the developer portal https://developer.apple.com/downloads/index.action?=command%20line%20tools download command_line_tools_for_osx_10.9_september_2014.dmg

To install Brew (http://brew.sh):

$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Then do:

$ brew doctor

Follow any instructions if there are problems. Many common problems are addressed at http://www.moncefbelyamani.com/how-to-install-xcode-homebrew-git-rvm-ruby-on-mac/#troubleshoot-homebrew

Then update brew to the latest list of packages:

$ brew update

To get the latest bash 4.3.25:

$ brew install bash

This installs bash into /usr/local/Cellar/bash/4.3.25/bin/bash

The old bash and sh still exist in /bin, so after installing you'll rename the old executables:

$ sudo mv /bin/bash /bin/bash_old
$ sudo mv /bin/sh /bin/sh_old

If you are very paranoid, you can remove execute permissions on the old binaries:

$ sudo chmod a-x /bin/bash_old /bin/sh_old

Then create a symbolic link to the new bash 4.3.25 that brew installed:

$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/bash
$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/sh

Reboot and it is complete.

A warning — this may break some existing shell scripts that might rely on bash 3.2 or the differences that the Mac sh has over the linux sh. There is a much more sophisticated answer to replacing bash and sh from sources at https://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7

In most cases it is best to wait for official updates.

-- Christopher Allen

  • What about possible issues with DHCP exploits? (https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/) – I'm A Person Sep 25 '14 at 21:12
  • You can patch to avoid DHCP exploits if you are a sophisticated user with a Mac on the open internet, but I don't recommend that people patch unless they are actively offering web services. Just wildly taking advice and patching everything yourself is not a good idea unless you are a security professional, or there is a real need. The goal of this post was to inform people that might not be very sophisticated at the shell, but may be offering web services from their Mac that they believe is important, and thus they want this patch now. – Christopher Allen Sep 25 '14 at 21:16
  • I am told, but can't confirm, that Apple's default DHCP is not vulnerable to Shellshock, because the Mac's DHCP does not call a shell script when a lease has expired like it does on Linux. – Christopher Allen Sep 25 '14 at 21:31
  • According to a colleague, brew will symlink bash anyway. On top of that if your PATH is correct, it shouldn't be much of an issue. Another thing to note is that symlinking sh to bash pretty much broke my shell entirely. I undid that one... – HannesFostie Sep 26 '14 at 09:09
  • FWIW, A couple people at my current workplace followed these instructions to upgrade Bash and rendered their Macs un-bootable. We had to get in to the recovery console, unlock the Macintosh HD, and use Terminal to move the binaries back. I'm wondering if the Apple built-in bash and sh have something special needed for encrypted volumes? – Andy Shinn Feb 05 '15 at 02:09
0

Please check the version of bash in brew before you do the step below:

$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/bash

$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/sh

The bash version is updated to 4.3.27 so far. If you still link 4.3.25 to /bin/bash, your Mac will not boot. If you have done that, you can boot to recovery mode and copy /bin/bash_old to /bin/bash and copy /bin/sh_old to /bin/sh.

My bash version in brew is 4.3.27, so this will work for me:

$ sudo ln -s /usr/local/Cellar/bash/4.3.27/bin/bash /bin/bash

$ sudo ln -s /usr/local/Cellar/bash/4.3.27/bin/bash /bin/sh

-1

Not good, still vulnerable!

bash-4.3$ brew upgrade bash
Error: bash-4.3.25 already installed

bash-4.3$ /usr/local/Cellar/bash/4.3.25/bin/bash
bash-4.3$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

-- guilou
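The three answers together describe one procedure with three places to get it wrong: running the one-line test against whichever `bash` is first on PATH rather than the newly installed binary (the last answer's "still vulnerable" output), hard-coding a Cellar version such as 4.3.25 in the symlink (the second answer), and replacing /bin/bash before confirming the replacement actually works (the comments about unbootable Macs). The script below is an added example by the editor, not code from any of the answers or from Homebrew. It assumes Homebrew links an installed formula's binary to `$(brew --prefix)/bin/bash`; the function names are the editor's own, and `make_fake_vulnerable_bash` writes a constructed stand-in shell script so the "vulnerable" branch can be demonstrated on a host whose real bash is already patched.

```sh
#!/bin/sh
# Added example, not code from any of the answers above. Checks a bash
# binary before anyone points /bin/bash at it, and resolves Homebrew's
# bash without hard-coding a Cellar version. Every function prints a
# status and returns 0, so the script is safe to use under "set -e".

# Version string reported by a bash binary ("3.2.51"), or "unknown".
bash_version_of() {
    bin=$1
    v=$("$bin" --version 2>/dev/null | head -n 1 |
        sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p') || v=""
    printf '%s\n' "${v:-unknown}"
}

# "vulnerable" if the binary still executes code after a function
# definition imported from the environment (the one-line test in the
# question), "patched" if it does not, "missing" if the path is not an
# executable file.
shellshock_status() {
    bin=$1
    if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
        printf 'missing\n'; return 0
    fi
    out=$(env x='() { :;}; echo VULNERABLE' "$bin" -c : 2>/dev/null) || out=""
    case $out in
        *VULNERABLE*) printf 'vulnerable\n' ;;
        *)            printf 'patched\n' ;;
    esac
}

# Where Homebrew links the bash it installed (assumption: brew links
# formula binaries into its prefix). Unlike
# /usr/local/Cellar/bash/4.3.25/bin/bash this path survives a formula
# upgrade. A prefix may be passed explicitly; otherwise "brew --prefix"
# is asked, falling back to /usr/local when brew is not installed.
brew_bash_path() {
    prefix=${1:-$(brew --prefix 2>/dev/null || printf '/usr/local')}
    printf '%s/bin/bash\n' "$prefix"
}

# Gate for the "ln -s ... /bin/bash" step: "ok: PATH" only for a real,
# version-reporting, non-vulnerable bash; otherwise "refuse: REASON".
# It never modifies /bin itself.
preflight_link() {
    bin=$1
    if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
        printf 'refuse: %s is not an executable file\n' "$bin"; return 0
    fi
    if [ "$(bash_version_of "$bin")" = unknown ]; then
        printf 'refuse: %s does not report a bash version\n' "$bin"; return 0
    fi
    if [ "$(shellshock_status "$bin")" != patched ]; then
        printf 'refuse: %s is still vulnerable\n' "$bin"; return 0
    fi
    printf 'ok: %s\n' "$bin"
}

# Constructed stand-in for an unpatched bash (a plain sh script, not a
# real bash): it reports a 3.2.51 version line and echoes VULNERABLE
# whenever the variable x looks like an exported function, which is
# enough to exercise the "vulnerable" branch on an already patched host.
make_fake_vulnerable_bash() {
    path=$1
    printf '%s\n' '#!/bin/sh' \
        '[ "$1" = --version ] && echo "GNU bash, version 3.2.51(1)-release"' \
        'case "$x" in "() {"*) echo VULNERABLE ;; esac' > "$path"
    chmod +x "$path"
    printf '%s\n' "$path"
}

# Resolve a bare name through PATH first and show what it resolved to:
# "bash" in the one-line test means whichever bash is first on PATH,
# usually still /bin/bash, not the binary just installed in the Cellar.
report() {
    for name in "$@"; do
        case $name in
            */*) bin=$name ;;
            *)   bin=$(command -v "$name" 2>/dev/null) || bin=$name ;;
        esac
        printf '%s -> %s: version %s, %s\n' "$name" "$bin" \
            "$(bash_version_of "$bin")" "$(shellshock_status "$bin")"
        preflight_link "$bin"
    done
}

if [ $# -gt 0 ]; then
    report "$@"
else
    # No arguments: check the system bash, Homebrew's bash, and the
    # constructed stand-in so both outcomes of the gate are visible.
    fake=$(make_fake_vulnerable_bash "${TMPDIR:-/tmp}/fake-bash-3.2.51")
    report bash /bin/bash "$(brew_bash_path)" "$fake"
    rm -f "$fake"
fi
```

Run it as `sh check_bash.sh` for the default report, or name the binaries to check, e.g. `sh check_bash.sh bash /usr/local/bin/bash`. The `name -> path` column is what the last answer's output illustrates: a bare `bash` is looked up on PATH and lands on /bin/bash, so the freshly installed binary has to be named by its full path to be the one tested. Only a candidate that `preflight_link` reports as `ok:` is worth linking, and even then the answer's own warning about /bin/sh and scripts written for bash 3.2 still applies.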